SA-ES : Subspace Activation Evolution Strategy for Black-Box Adversarial Attacks
Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review
Author(s)
Related Research Unit(s)
Detail(s)
Original language | English |
---|---|
Pages (from-to) | 780-790 |
Number of pages | 11 |
Journal / Publication | IEEE Transactions on Emerging Topics in Computational Intelligence |
Volume | 7 |
Issue number | 3 |
Online published | 28 Oct 2022 |
Publication status | Published - Jun 2023 |
Link(s)
Abstract
Deep neural networks are vulnerable to adversarial examples that alter the output significantly with imperceptible change in the input. In our black-box setting, the adversarial attacker can only query the model to predict the value after the softmax layer without accessing the underlying model. Currently, generating adversarial examples with high qualifications in the query-limited setting and investigating the distribution of adversarial examples are two main challenges in the black-box attack. In this paper, we propose a zeroth-order optimization method for the black-box adversarial attack, termed subspace activation evolution strategy (SA-ES). It captures the most promising direction for generating more convincing adversarial examples.Moreover, instead of only searching for one reliable adversarial example for an original input, SA-ES finds a distribution of adversarial examples, such that a sample drawn from this distribution is likely an adversarial example. We conduct comprehensive experiments on various data sets and validate that the proposed algorithm can efficiently find perturbation-sensitive regions of an image and stably explore the distribution of adversarial examples with the limited query, and outperforms the existing methods. In addition, we apply SA-ES to physical reality black-box attacks, which effectively generate simulated physical adversarial examples for the adversarial training model.
Research Area(s)
- Digital images, Distribution, high-quality, Neural networks, Optimization, Perturbation methods, perturbation-sensitive regions, physical attack, Predictive models, Robustness, subspace activation evolution strategy, Training
Citation Format(s)
SA-ES: Subspace Activation Evolution Strategy for Black-Box Adversarial Attacks. / Li, Zhenhua; Cheng, Huilin; Cai, Xinye et al.
In: IEEE Transactions on Emerging Topics in Computational Intelligence, Vol. 7, No. 3, 06.2023, p. 780-790.
In: IEEE Transactions on Emerging Topics in Computational Intelligence, Vol. 7, No. 3, 06.2023, p. 780-790.
Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review